End-to-End security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
1. Copyright © 2014, Palo Alto Networks
End to End Security With
Palo Alto Networks
Onur Kasap
Systems Engineer
November 2014-Kiev
2. PALO ALTO NETWORKS AT-A-GLANCE
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer
shipment in 2007
• Safely enabling applications and
preventing cyber threats
• Able to address all enterprise
cybersecurity needs
• Exceptional ability to support
global customers
• Experienced team of 1,700+
employees
• Q4FY14: $178.2M revenue
[Chart: REVENUES ($MM), FY09 to FY14; data labels $13, $49, $119, $255, $396, $598]
[Chart: ENTERPRISE CUSTOMERS, Jul-11 to Jul-14; data labels 4,700, 9,000, 13,500, 19,000]
3. A clear market leader – again
A leader for 3 years in a row in the
magic quadrant for enterprise network firewalls
4. Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the
firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
6. Technology Sprawl and Creep Aren’t the Answer
Enterprise
Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
UTM
IPS DLP IM AV URL Proxy
Internet
7. Competitors Firewall Architecture
[Diagram: Packet Inspection Flow]
• Port-based session Inspection: Stateful FW policy, L4 Session Table
• Application Inspection: Application Policy, App Signatures
• Threat Inspection: IPS Policy, IPS Signatures
• AV Inspection: Anti-Virus Proxy, Virus Signatures
• URL Inspection: Web Filtering Policy, URL Signatures
8. Application Control Belongs in the Firewall
Application Control as an Add-on
[Diagram: Traffic; Firewall (Port, Port Policy Decision); IPS (Applications, App Ctrl Policy Decision)]
• Port-based decision first, apps second
• Applications treated as threats; only block what you expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns
Application Control in the Firewall
[Diagram: Traffic; Firewall (Application, App Ctrl Policy Decision); IPS (Applications, Scan Application for Threats)]
• Firewall determines application identity; across all ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed
9. Evasive Applications
• Yahoo Messenger
• BitTorrent Client
Port-Based Firewall
• Port 80: Open
• Port 5050: Blocked
• Port 6681: Blocked
10. Scenario 1: DNS Traffic
Legacy Firewalls
• Firewall Rule: ALLOW Port 53
• DNS packet on Port 53: Allow
• BitTorrent packet on Port 53: Allow
• Visibility: Port 53 allowed
Palo Alto Networks Firewalls with App-ID
• Firewall Rule: ALLOW DNS
• DNS = DNS: Allow
• BitTorrent ≠ DNS: Deny
• Visibility: BitTorrent detected and blocked
11. Scenario 2: BitTorrent with Application IPS
Legacy Firewalls
• Firewall Rule: ALLOW Port 53
• Application IPS Rule: Block Bittorrent
• Packet on Port 53: Allow
• Bittorrent: Deny
• Visibility: Bittorrent detected and blocked
Palo Alto Networks Firewalls with App-ID
• Firewall Rule: ALLOW DNS
• DNS=DNS: Allow
• Bittorrent ≠ DNS: Deny
• Visibility: Bittorrent detected and blocked
12. Scenario 3: Zero-day Malware
Legacy Firewalls
• Firewall Rule: ALLOW Port 53
• Application IPS Rule: Block Bittorrent
• Zero-day C & C packet on Port 53: Allow
• C & C ≠ Bittorrent: Allow
• Visibility: Packet on Port 53 allowed
Palo Alto Networks Firewalls with App-ID
• Firewall Rule: ALLOW DNS
• DNS=DNS: Allow
• Command & Control ≠ DNS: Deny
• Visibility: Unknown traffic detected and blocked
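The three scenarios above, as an added example that is not part of the original slides and is not Palo Alto Networks' App-ID implementation: one port-53 packet stream evaluated by a port rule, a port rule plus an application blocklist, and an application allowlist. The structural DNS check, the two BitTorrent patterns, the function names and the sample payloads are simplified assumptions made for illustration.

```python
import struct

def build_dns_query(name, txid=0x1234):
    """Constructed sample: minimal standard query, RD set, one A/IN question."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)

def is_dns_query(payload):
    """Structural check: does the payload parse as one well-formed DNS query?"""
    if len(payload) < 17:                      # header + root label + qtype/qclass
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    qr, opcode, z = flags >> 15, (flags >> 11) & 0xF, (flags >> 6) & 1
    if qr or opcode or z or qd != 1 or an or ns or ar > 1:
        return False
    pos, name_len = 12, 0
    while True:                                # walk the QNAME labels
        if pos >= len(payload):
            return False                       # ran off the end: not DNS
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        name_len += length + 1
        if length > 63 or name_len > 254:
            return False                       # label and name limits (RFC 1035)
        pos += length
    if pos + 4 > len(payload):
        return False                           # qtype/qclass missing
    return ar == 1 or pos + 4 == len(payload)  # trailing bytes only with one extra RR

def classify(payload):
    """Identify the application from content, independent of the port used."""
    if is_dns_query(payload):
        return "dns"
    handshake = payload.startswith(b"\x13BitTorrent protocol")
    dht = (payload.startswith(b"d1:") and payload.endswith(b"e")
           and b"1:y1:" in payload)            # bencoded DHT message shape
    return "bittorrent" if handshake or dht else "unknown"

def port_firewall(dport):
    """Scenario 1, legacy: 'ALLOW Port 53' never looks at the payload."""
    return "allow" if dport == 53 else "deny"

def port_firewall_with_app_ips(dport, payload):
    """Scenarios 2 and 3, legacy: port rule first, then a blocklist of known apps."""
    if port_firewall(dport) == "deny":
        return "deny"
    return "deny" if classify(payload) == "bittorrent" else "allow"

def app_firewall(payload):
    """'ALLOW DNS': anything that is not identified as DNS is denied."""
    return "allow" if classify(payload) == "dns" else "deny"

# Constructed payloads, all sent to UDP port 53.
SAMPLES = {
    "dns": build_dns_query("example.com"),
    "bittorrent": b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe",
    "unknown": b"\xde\xad\xbe\xef" + b"constructed-opaque-bytes",
}

def verdict_table(dport=53):
    """Per sample: (port rule, port rule + app blocklist, app allowlist)."""
    return {name: (port_firewall(dport),
                   port_firewall_with_app_ips(dport, data),
                   app_firewall(data))
            for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in verdict_table().items():
        print(f"{name:10s} {verdicts}")
```

The "unknown" row is the point of scenario 3: a blocklist only denies what it already recognises, while the allowlist denies everything it cannot positively identify as DNS.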
13. The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
14. Making the Firewall a Business Enablement Tool
•App-ID™
•Identify the application
•Content-ID™
•Scan the content
•User-ID™
•Identify the user
16. Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per
packet
- Traffic classification (app
identification)
- User/group mapping
- Content scanning –
threats, URLs,
confidential data
• One policy
Parallel Processing
• Function-specific parallel
processing hardware
engines
• Separate data/control
planes
18. PAN-OS Core Firewall Features
Visibility and control of applications, users and content
complement core firewall features
Strong networking foundation
Dynamic routing (BGP, OSPF, RIPv2)
Tap mode – connect to SPAN port
Virtual wire (“Layer 1”) for true transparent
in-line deployment
L2/L3 switching foundation
Policy-based forwarding
VPN
Site-to-site IPSec VPN
Remote Access (SSL) VPN
QoS traffic shaping
Max/guaranteed and priority
By user, app, interface, zone, & more
Real-time bandwidth monitor
Zone-based architecture
All interfaces assigned to security zones
for policy enforcement
High Availability
Active/active, active/passive
Configuration and session
synchronization
Path, link, and HA monitoring
Virtual Systems
Establish multiple virtual firewalls in a single device (PA-7050, PA-5000, PA-3000, and PA-2000 Series)
Simple, flexible management
CLI, Web, Panorama, SNMP, Syslog
PA-7050
PA-5000 Series
PA-5060, PA-5050, PA-5020
PA-3000 Series
PA-3050, PA-3020
PA-2000 Series
PA-2050, PA-2020
PA-500
PA-200
VM-Series
VM-300, VM-200, VM-100,
VM-1000-HV
19. Flexible Deployment Options For Ethernet Interfaces
Tap Mode
• Application, user and content visibility without inline deployment
• Evaluation and Audit of existing networks
Virtual Wire Mode
• Application ID, Content ID, User ID, SSL Decryption
• Includes NAT capability
Layer 3 Mode
• All of the Virtual Wire Mode capabilities with the addition of Layer 3 services: Virtual Routers, VPN, and Routing Protocols
21. Why change
• 91% increase in targeted attacks in 2013: Attackers are more sophisticated and well funded
• 78% of exploit kits utilize vulnerabilities less than 2 years old: Launching Zero-Day attacks is more accessible and common
• 71% of breaches involve a targeted user device: Targeted attacks can only be solved on the endpoint
22. Flow of a RAT Attack with 0-day Malware
[Diagram: Attacker (C&C), Hop Point, Popular websites (Landing Site), Malware repository, Victim]
• The attacker injects the URL, in a legitimate site preferably, under his control
• The victim visits the site and is redirected to the malicious URL (iframe)
• The victim visits the URL and the drive-by download executes
• The victim downloads and installs the malware that takes the station into the botnet
23. Attack Stages of a Drive-by Download / Web Attack
• Targeted malicious email sent to user
• User clicks on link to a malicious website
• Malicious website silently exploits client-side vulnerability with Web Attack Toolkit
• Drive-by download of malicious payload
24. Targeted Attack Example
Source: http://infosec3t.com/wp-content/uploads/2010/03/contagio_targeted_attack_email_2.png
25.
Source: http://www.symantec.com/threatreport/topic.jsp?id=malicious_code_trends&aid=triage_analysis_of_targeted_attacks
27. Detection-focused technology investments
Network Security
IPS deployed as IDS
App blades that only detect and report
SSL traffic allowed without decryption
When decrypted, SSL just port-mirrored
Sandboxes deployed to detect malware
Snort engines to detect traffic to high
risk IPs
Endpoint Protection
Forensics agents to capture what happened
IOC scanners
Massive PCAP storage
Remediation tools to try and fix what was
detected
$1,000/hour incident response consultants
to tell you who stole your data
Answer: Detection and Prevention of Advanced Threats
28. Advanced threat requires a solution, not point products
1 Reduce the attack surface
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types
2 Detect the unknown
• Analysis of all application traffic
• SSL decryption
• WildFire sandboxing of exploitive files
3 Create protections
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)
[Diagram labels: High-risk applications; Known viruses and exploits; EXE, Java, .LNK, DLL; Client Exploit; Command/Control; HTTP, SSL, DNS; URL / C&C; Failed attempts; Successful spear-phishing email; Post-compromise activity]
29. Why do you need network, endpoint, and cloud working together?
30. Requirements for a new approach
1 Prevent attacks - even attacks seen for the first time
2 Protect all users and applications - including mobile and virtualized
3 Seamlessly combine network and endpoint security, as each has unique strengths
4 Provide rapid analysis of new threats
Requires next-generation network, endpoint,
and threat intelligence cloud capabilities
31. Platform approach
Next-Generation Firewall
Inspects all traffic
Blocks known threats
Sends unknown to cloud
Extensible to mobile &
virtual networks
32. Platform approach
Next-Generation Endpoint Protection
Inspects all processes and files
Prevents both known & unknown exploits
Integrates with cloud to prevent known &
unknown malware
33. Platform approach
Threat Intelligence Cloud
Gathers potential threats from
network and endpoints
Analyzes and correlates threat
intelligence
Disseminates threat intelligence to
network and endpoints
34. The making of a platform: information sharing
Unknowns
Unknowns &
zero-day
discoveries
35. The making of a platform: prevention distribution
Real-time
signatures
36. The making of a platform: correlated analytics
Integrated reporting
Confirm detection
37. Reaching Effects of WildFire
AV Signatures DNS Signatures Malware URL Filtering Anti-C&C Signatures
Threat Intelligence
Sources
WildFire Users
38. Next-Generation Appliances | Malware Management
WF-500 is a private cloud
Designed for organizations with regulatory or privacy concerns.
WF-500
39. WildFire cloud-based architecture scales
APT Add-on Approach
[Diagram: Web Sandbox, Email Sandbox, File share Sandbox, Central manager, Manual analysis]
• Hard to manage
• Doesn’t scale
• Expensive
• Requires multiple devices at each ingress, egress, and point of segmentation
WildFire Approach
[Diagram: WildFire™ public cloud or private cloud appliance]
• Easy to manage and operationalize
• Scalable
• Cost effective
40. WildFire Subscription
WildFire WildFire
Subscription
WildFire analysis of PE analysis
Daily signature feed (TP subscription required)
WildFire logs integrated within PAN-OS
WildFire analysis of all other file types (PDF, MS Office, Java, Flash, APK*)
15-min signature feed
WildFire Cloud API key
Use of WF-500
41. Signature hierarchy
App-ID updates “IPS” signatures
Weekly
(vulnerability, anti-spyware)
Daily
15-minute
IP geolocation
Antivirus Botnet support
(zone file, dynamic DNS, malware URLs)
DNS signatures
WildFire signatures
43. The failures of traditional approaches
EXE
Targeted Evasive Advanced
PDF NO
Known signature?
NO
Known strings?
NO
Previously seen
behavior?
Legacy
Endpoint Protection
Malware
direct execution
Exploit
vulnerability
to run any code
44. Introducing Traps
The right way to deal with advanced cyber threats
Prevent Exploits
Including zero-day exploits
Prevent Malware
Including advanced & unknown malware
Collect Attempted-Attack Forensics
For further analysis
Scalable & Lightweight
Must be user-friendly and cover complete enterprise
Integrate with Network and Cloud Security
For data exchange and crossed-organization protection
45. Block the core techniques – not the individual attacks
• Software Vulnerability Exploits: Thousands of new vulnerabilities and exploits a year
• Exploitation Techniques: Only 2-4 new exploit techniques a year
• Malware: Millions of new malware every year
• Malware Techniques: 10’s – 100’s of new malware sub-techniques every year
46. Exploitation technique prevention – Clandestine Fox
Stages: Preparation, Triggering, Circumvention, Post Malicious Activity
Techniques (CVE-2014-1776): Heap Spray, Use after free, ROP, Utilizing OS function
[Diagram labels: Memory Corruption Mitigation, Logic-Flaws, Real-Time Intervention, OS Functions Shielding, Algorithmic Memory Traps Placement]
Prevention of one technique in the chain will block the entire attack
47. Exploit technique prevention: how it works
• Document is opened by user
• Traps seamlessly injected into processes (CPU <0.1%)
• Process is protected as exploit attempt is trapped
• Traps triggers immediate actions: forensic data is collected, process is terminated, user/admin is notified, reported to ESM
• Attack is blocked before any successful malicious activity
Safe!
When an exploitation attempt is made, the exploit hits a “trap” and fails before any malicious activity is initiated.
48. Malware prevention
• Policy-Based Restrictions: Limit surface area of attack, control source of file installation
• WildFire Inspection: Prevent known malware with cloud-based integration
• Malware Techniques Mitigation: Prevent unknown malware with technique-based mitigation
49. Malware prevention: how it works
• User tries to open executable file
• Policy-based Restrictions Applied
• HASH checked against WildFire
• File is allowed to execute
• Malware technique prevention employed
• Reported to ESM
Safe!
50. Forensics capture
Ongoing capture and attack-triggered capture
Ongoing recording
- Any files execution
- Time of execution
- File name
- File HASH
- User name
- Computer name
- IP address
- OS version
- File’s malicious history
- Any interference with Traps service
- Traps Process shutdown attempt
- Traps Service shutdown attempt
- Related system logs
Exploit or malware hits a “trap” and
triggers real-time collection
- Attack-related forensics
- Time stamp
- Triggering File (non executable)
- File source
- Involved URLs/URI
- Prevented exploitation technique
- IP address
- OS version
- Version of attempted vulnerable software
- All components loaded to memory under attacked process
- Full memory dump
- Indications of further memory corruption activity
- User name and computer name
51. Coverage and system requirements
Supported operating systems
Workstations
• Windows XP SP3
• Windows 7
• Windows 8.1
Servers
• Windows Server 2003
• Windows Server 2008 (+R2)
• Windows Server 2012 (+R2)
Footprint
• 25 MB
• 0.1% CPU
• Very Low IO
52. Benefits
Business
Prevent breaches,
not just detect
Increases business
continuity
Lowers TCO
Operations
Save time and
money on
Forensics and
remediation
Easy to manage,
does not require
frequent updates
Zero-day coverage
IT
Install patches on
your own schedule
Compatible with
existing solutions
Minimal
performance
impact
Intelligence
Access to threat
intel through
WildFire integration
Attack-triggered
forensics collection
54. East/West Traffic flows often greater than North/South flows
Enterprise
Network
55. Security challenges
Physical firewalls may not see the East-West traffic
[Diagram: DB, App and Web VMs on a Hypervisor; Hardware Firewall]
• Firewalls placement is designed around expectation of layer 3 segmentation
• Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
• Ability to transparently insert security into the traffic flow is needed
56. Security challenges
Static policies cannot keep pace with dynamic workload deployments
Provisioning of applications can occur
in minutes with frequent changes
Security approvals and configurations
may take weeks/months
Dynamic security policies that
understand VM context are needed
57. What happens when a VM is vMotioned?
App Web
Hypervisor
DB
Hypervisor
vMotion
Data Center
Core Network
Hardware
Firewall
58. VM-Series Next Generation Security Platform
• Consistent Features as hardware-based next-generation
firewall
App-ID
User-ID
Content-ID
Wildfire
• Inspects and Safely Enables Intra-Host
Communications (East-West traffic)
• Tracks VM Creation and Movement with
Dynamic Address Group objects
API integration with orchestration: Automate
Workflows
Centrally Managed through Panorama
59. VM-Series deployment options
VM-Series for VMware
vSphere (ESXi)
• VM-100, VM-200, VM-300, and
VM-1000-HV deployed as guest
VMs on VMware ESXi
• Deployed as part of virtual network configuration for East-West traffic inspection
VM-Series for Citrix NetScaler
SDX
• VM-100, VM-200, VM-300, and
VM-1000-HV deployed as guest VMs
on Citrix NetScaler SDX
• Consolidates ADC and security
services for multi-tenant and Citrix
XenApp/XenDesktop deployments
VM-Series for VMware NSX
• VM-Series for NSX deployed as a
service with VMware NSX and
Panorama
• Ideal for East-West traffic inspection
60. Dynamic Address Groups and VM Monitoring
VMware vCenter or ESXi
Name | IP | Guest OS | Container
web-sjc-01 | 10.1.1.2 | Ubuntu 12.04 | Web
sp-sjc-04 | 10.1.5.4 | Win 2008 R2 | SharePoint
web-sjc-02 | 10.1.1.3 | Ubuntu 12.04 | Web
exch-mia-03 | 10.4.2.2 | Win 2008 R2 | Exchange
exch-dfw-03 | 10.4.2.3 | Win 2008 R2 | Exchange
sp-mia-07 | 10.1.5.8 | Win 2008 R2 | SharePoint
db-mia-01 | 10.5.1.5 | Ubuntu 12.04 | MySQL
db-dfw-02 | 10.5.1.2 | Ubuntu 12.04 | MySQL
New VM: db-mia-05 | 10.5.1.9 | Ubuntu 12.04 | MySQL
PAN-OS Dynamic Address Groups
Name | Tags | Addresses
SharePoint Servers | SharePoint, Win 2008 R2, “sp” | 10.1.5.4, 10.1.5.8
MySQL Servers | MySQL, Ubuntu 12.04, “db” | 10.5.1.5, 10.5.1.2
Miami DC | “mia” | 10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers | “sjc”, “web”, Ubuntu 12.04 | 10.1.1.2, 10.1.1.3
PAN-OS Security Policy
Source Destination Action
SharePoint Servers
San Jose Linux Web Servers ✔
MySQL Servers
Miami DC
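How tag-based group membership follows the VM inventory, as an added example that is not PAN-OS code or part of the original slides. It uses the inventory and group tags from slide 60; deriving tags from the VM name, guest OS and container, and requiring all of a group's tags to match, are assumptions that reproduce the addresses shown on the slide.

```python
import ipaddress

# Inventory rows from slide 60: (name, ip, guest OS, container).
INVENTORY = [
    ("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    ("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    ("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    ("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    ("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    ("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    ("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    ("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
]
NEW_VM = ("db-mia-05", "10.5.1.9", "Ubuntu 12.04", "MySQL")

# Group match criteria from slide 60 (lower-cased). Assumption: AND semantics.
GROUPS = {
    "SharePoint Servers": {"sharepoint", "win 2008 r2", "sp"},
    "MySQL Servers": {"mysql", "ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "ubuntu 12.04"},
}

def vm_tags(name, guest_os, container):
    """Tags for one VM: non-numeric name tokens, guest OS and container."""
    tokens = {t for t in name.lower().split("-") if not t.isdigit()}
    return tokens | {guest_os.lower(), container.lower()}

def resolve(groups, inventory):
    """Map each group to the sorted IPs of VMs carrying all of its tags."""
    members = {group: [] for group in groups}
    for name, ip, guest_os, container in inventory:
        tags = vm_tags(name, guest_os, container)
        for group, required in groups.items():
            if required <= tags:
                members[group].append(ip)
    return {g: sorted(ips, key=ipaddress.ip_address) for g, ips in members.items()}

def membership_delta(before, after):
    """Addresses that joined each group between two inventory snapshots."""
    return {g: [ip for ip in after[g] if ip not in before[g]]
            for g in after if after[g] != before[g]}

def ungrouped(groups, inventory):
    """VMs matching no group: no group-based rule refers to them."""
    return [name for name, _ip, guest_os, container in inventory
            if not any(req <= vm_tags(name, guest_os, container)
                       for req in groups.values())]

if __name__ == "__main__":
    before = resolve(GROUPS, INVENTORY)
    after = resolve(GROUPS, INVENTORY + [NEW_VM])
    print(before)
    print("joined after provisioning:", membership_delta(before, after))
    print("in no group:", ungrouped(GROUPS, INVENTORY))
```

The policy that names "MySQL Servers" or "Miami DC" is never edited; only the resolved address list changes when db-mia-05 appears. The `ungrouped` check is the audit a reviewer would run to find VMs that no group-based rule covers.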
61.
Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels
VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25
VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200
VM-300 | 250,000 | 5,000 | 40 | 10,000 | 1,000 | 500
VM-1000-HV | 250,000 | 10,000 | 40 | 100,000 | 2,000 | 500
62. Effect of dedicating cores
2 Core Configuration:
Core 1 = Management Plane
Core 2 = Data Plane
4 Core Configuration:
Core 1 = Management Plane
Core 2 = Data Plane: Read & Transmit packets
Core 3 & Core 4 = Data Plane: Process packets
8 Core Configuration:
Core 1 = Management Plane
Core 2 = Data Plane: Reads packets
Core 3 = Data Plane: Transmit packets
Core 4 thru Core 8 = Data Plane: Process packets
63. Safely Enabling Mobile Devices
GlobalProtect™
64. Challenge: Quality of Security Tied to Location
• Headquarters, Branch Offices: Enterprise-secured with full protection
• Airport, Hotel, Home Office: Exposed to threats, risky apps, and data leakage
[Diagram labels: malware, botnets, exploits]
65. GlobalProtect™: Consistent Security Everywhere
•Headquarters •Branch Office
malware
botnets
exploits
• VPN connection to a purpose-built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance and reporting
66. Unlocking The Potential of Mobile Depends On Security
Intranet
Running Your
Business on
Mobile Devices
Benefits to Business
Mobile Maturity
Email
Accessing
Business Apps
67. New Approach to Safely Enabling Mobile Devices
Manage the Device
Ensure devices are safely enabled while simplifying deployment & setup
• Ensure proper settings in place, such as strong passcodes and encryption
• Simplify provisioning of common configuration like email and certificates
Protect the Device
Protect the mobile device from exploits and malware
• Protecting the device from infection also protects confidential data and prevents unauthorized network access
Control the Data
Control access to data and its movement between applications
• Control access by app, user, and device state
• Extend data movement controls to the device to ensure data stays within “business apps”
68. GlobalProtect Mobile Security Solution
GlobalProtect App
Enables device management, provides device state information, and establishes secure connectivity
GlobalProtect Gateway
Delivers mobile threat prevention and policy enforcement based on apps, users, content and device state
GlobalProtect Mobile Security Manager
Provides device management, malware detection, and device state
69. Manage The Device
Manage Device Settings
Enforce security settings such as passcode
Restricts device functions such as camera
Configure accounts such as email, VPN, Wi-Fi settings
Understand Device State
Monitor and report device state for policy
enforcement, such as:
Whitelisted / blacklisted apps
Rooted / jailbroken
Perform Key Operations
Ex: lock, unlock, wipe, send a message
Detect Android Malware
Detect and react to the presence of malware
GlobalProtect Mobile
Security Manager
GlobalProtect App
70. Protect The Device
Consistent Security Everywhere
IPsec/SSL VPN connection to a purpose-built next-generation security platform for policy enforcement regardless of the device location
Mobile Threat Prevention
Vulnerability (IPS) and malware
(AV) protection for mobile threats
URL filtering for protection against
malicious websites
WildFire™ static and dynamic
analysis for advanced mobile
threats
Threats
GlobalProtect Gateway
GlobalProtect App
71. Control The Data
Control Access to Applications and Data
Granular policy determines which users and
devices can access sensitive applications and
data
Policy criteria based on application, user,
content, device, and device state for control
and visibility
Identify device types such as iOS,
Android, Windows, Mac devices
Identify device ownership such as
personal (BYOD) or corporate issued
Identify device states such as
rooted/jailbroken
File blocking based on content and content
type
Control Data Movement Between Apps
on the Device
Solution provides the foundation for future
developments in data protection
Applications and Data
GlobalProtect Gateway
GlobalProtect App
73.
Internet
WildFire Cloud
Traps
Advanced Endpoint Protection